What weakening encryption would mean to enterprise data security

The tussle between Apple and the U.S. Justice Department over cracking into an iPhone used by one of the killers of 14 people in San Bernardino, California, has brought encryption into the public spotlight, but largely as a way to protect consumer privacy. Although the data on the iPhone in the case is encrypted, the FBI doesn't want Apple to break the encryption on the phone. All it wants Apple to do is disable the limit on the number of wrong passwords that can be entered before all the data on the phone is automatically destroyed.

"In recent years, new methods of electronic communication have transformed our society, most visibly by enabling ubiquitous digital communications and facilitating broad e-commerce. As such, it is important for our global economy and our national security to have strong encryption standards," FBI Director James B. Comey told Congress earlier this month. "The benefits of our increasingly digital lives, however, have been accompanied by new dangers, and we have been forced to consider how criminals and terrorists might use advances in technology to their advantage. We are seeing more and more cases where we believe significant evidence resides on a phone, a tablet, or a laptop—evidence that may be the difference between an offender being convicted or acquitted."

"If we cannot access this evidence, it will have ongoing, significant impacts on our ability to identify, stop, and prosecute these offenders." — FBI Director James B. Comey

What's keeping law enforcement from accessing this data? Strong encryption, law enforcement says, and it wants technology companies to find a solution to the problem. From Apple's perspective, the FBI's request is just the top of a slippery slope that will lead to weakening of the encryption on the phone itself. Beyond Apple, enterprises argue that short of weakening encryption, they can't do what law enforcement wants. They maintain that what law enforcement wants will have a devastating impact on the privacy of people around the world, as well as ravaging enterprises, e-commerce, and the global economy.

Encryption and enterprise data security

Over the past 10 years, the use of encryption has become pervasive in the enterprise, so much so that it has become as common as electricity. That's why allowing anything but the strongest encryption would have far-reaching consequences. Weakening enterprise encryption also couldn't come at a worse time for businesses. "Every enterprise, every business, every government depends on encryption to not only work on the Internet but to work internally," said Kevin Bocek, vice president for security strategy and threat intelligence at Venafi.

"All the systems across the enterprise and across the data center use encryption to know if they're talking to a system that's trusted or not," he explained. "When a Windows or Mac boots up, it's checking hundreds of digital signatures that are encrypted," Bocek said. "So it's fundamental to everything that the modern enterprise is built on."

As enterprise perimeters become more porous, protecting the data within those perimeters becomes more important than ever. That's especially so as the enterprise has to accommodate data pouring into it from the Internet of Things. "You're going to have millions and millions of endpoints, so it's going to become much more important to protect your data, and encryption is one of the best ways to do it," said Peter Galvin, strategy vice president at Thales e-Security, a key management and network encryption company.

That's not to say that encryption hasn't started to create problems for the enterprise just as it has for the FBI. "Because of how much and how blindly the enterprise relies on encryption, it can create problems, particularly when we get bad guys who want to hide in blind spots created by encryption," Venafi's Bocek said.

If encryption is compromised, IT's job is impossible

Without strong encryption, IT's job would be onerous if not impossible. "It would be incredibly difficult and incredibly dangerous if IT did not have encryption," Keeper Security's Guccione said. "I don't know how they would safeguard their customers' information and keep it secure."

Many organizations keep their data safe by building layers of defense around it. "IT has become comfortable with a layered defense approach for some time," said John Grimm, senior director of product marketing for Thales e-Security. "Encryption is one of those layers that is really powerful because it follows your data. Instead of being reliant on the infrastructure that the data is sitting on, by using encryption you can have a data-centric approach where protection follows the data."

"That is a very powerful weapon in IT's arsenal," he added. "Without it, you lose your ubiquity, which is so important now that data is going to so many different places."

Without encryption, IT would be forced to battle 21st-century adversaries with outdated tools. "Think about what life was like before mobile phones or even the telephone," said Phil Dunkelberger, CEO of Nok Nok Labs. "Encryption is a major need and friend for IT and will continue to be," he added.

IT dystopia

A world where strong encryption did not exist for IT would be a reactionary person's dreamland. "You'd have to disconnect yourself from the global infrastructure. The only way you could provide security is by not providing outside connectivity," said Chris Peel, vice president of engineering at Echoworx. "It would disrupt businesses. They would not be able to operate online. They would not be able to allow employees to operate remotely. It's not a very viable business model in today's world."

"If you removed encryption as an option for IT, you would be rolling back the clock to 1980." — Chris Peel, Echoworx

Nok Nok's Dunkelberger agreed. "I have a hard time imagining that world," he said. "Based on how the world's communications systems have evolved over the recent years, it would set back business by decades and stall growth."

Alternatives to encryption do not measure up

Although security experts don't believe there are any viable alternatives to strong encryption, some law enforcement officials have suggested that "pretty good encryption" will suffice for most users. Such encryption usually includes some kind of "back door" that will give governments access to anything that's encrypted.

The problem with that kind of alternative is that if such a back door exists, it will exist for anyone who can find it. "Something is either secure or it's not," Echoworx's Peel declared. "If you water encryption down for law enforcement, then you're also watering it down for nefarious individuals who want to steal your identity and access your bank account information. Either everything is secure or nothing is secure."

Law enforcement maintains that back doors are necessary for national security, but the opposite may be true, counters Jay Kaplan, a former counterterrorism cyber analyst for the National Security Agency who is now CEO of Synack, a threat intelligence company. "If we start shifting to side with national security, the implications could actually be that we further damage national security by giving other state governments and even sophisticated terrorist organizations a mechanism to decrypt what would be sensitive communications," he said.

By forcing commercial firms to weaken their encryption, law enforcement will only force the people it's trying to rein in to get their encryption elsewhere. "There are hundreds of encryption products out there that could be used by bad actors to do what they want to do," said John Gunn, vice president of communications for Vasco Data Security, a provider of two-factor authentication and digital signature solutions to financial institutions. "There's no way bad actors can be stopped from using strong encryption."

"Once encryption is weakened, the only people who will be powerless are those who are law-abiding," added Nathan Leamer, outreach manager and policy analyst for the R Street Institute, a nonprofit public-policy research organization.